(54) Abstract Title

Monitoring computer network traffic data 

(57) Network traffic probes 127, 137 ... 147 are identified and attempts are made to configure the identified probes to generate (506) network traffic data sets which are as close to a preselected common data format as possible. Application layer (al) traffic data is collected in addition to network layer (nl) traffic data when possible. In an RMON2 embodiment, the common data format includes the use of delta count values, as opposed to absolute count values, and terminal count mode format as opposed to all count mode format for the presentation of RMON2 application layer information. Network data is obtained from a probe using one of the available RMON2 table formats, in the following order of preference: alMatrixTopN(Terminal Mode), alMatrixTopN(AllMode), alMatrix, nlMatrixTopN and nlMatrix. A database 510 of collected network traffic information which includes multiple parallel sets of data stored at different resolutions is created and maintained (508). The data sets for each individual resolution are stored in a separate FIFO data structure, with the oldest data records in the FIFO being overwritten when allocated data space becomes fully utilized.
To place alMatrix data 623 in the common data format, both the delta generation operation 632 and the terminal count conversion operation 630 are performed.

To place nlMatrix data 624 into the common data format, the delta generation operation 632 is performed.

Thus, by performing delta generation operations and/or terminal count conversion operations, it is possible to convert data tables 622, 623, and 624 into the desired common data format.

In accordance with one exemplary embodiment of the present invention, the conversion of absolute count data to delta count data may be performed in accordance with the following exemplary pseudo code:

Begin {delta count generation operation}

    if the received data is the first set of data received from the probe
    Begin if
        Store the data table received from the probe in the temporary data table storage location associated with the specific probe from which the data being processed was collected;
        use the data included in the data table as delta data;
    end if
    else
    Begin else
        retrieve the previously stored data table from the temporary data table storage location associated with the specific probe from which the data table being processed was collected;
The data collection and conversion routine 600 may be re-executed each time it is desired to collect network traffic data, e.g., periodically at 30 minute or hourly intervals. To simplify absolute count data to delta count data conversion, in one embodiment, the period between data collections is selected to match the period for which the delta count is to be generated, i.e., the delta count represents the network traffic detected since the last time the probe's traffic data table was retrieved.
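The delta count generation operation described above, written out as an added Python example (it is not code from the patent). The table layout (a dict keyed by source, destination and protocol holding packet and octet counts), the class and method names, the subtraction step that follows retrieval of the previous table (the pseudo code on this page is cut off there), and the treatment of a counter that goes backwards are all assumptions.

```python
"""Delta count generation with per-probe table storage (added example)."""

# Table formats named on the page. True means the probe reports absolute
# counts, so the delta generation operation is required before buffering.
REPORTS_ABSOLUTE_COUNTS = {
    "alMatrixTopN(TerminalMode)": False,
    "alMatrixTopN(AllMode)": False,
    "alMatrix": True,
    "nlMatrixTopN": False,
    "nlMatrix": True,
}


class DeltaCountGenerator:
    """Keeps one previously retrieved absolute table per probe."""

    def __init__(self):
        # probe id -> last absolute-count table retrieved from that probe
        # (the "temporary data table storage location" of the pseudo code)
        self._previous = {}

    def has_stored_table(self, probe_id):
        return probe_id in self._previous

    def generate(self, probe_id, table_format, table):
        """Return the table for this collection period as delta counts.

        table maps (source, destination, protocol) -> (packets, octets).
        """
        if not REPORTS_ABSOLUTE_COUNTS[table_format]:
            # TopN tables arrive as delta counts already; nothing is stored.
            return dict(table)

        previous = self._previous.get(probe_id)
        # Store the current absolute table for the next collection cycle.
        self._previous[probe_id] = dict(table)

        if previous is None:
            # First set of data from this probe: use it as delta data.
            return dict(table)

        delta = {}
        for conversation, counts in table.items():
            before = previous.get(conversation)
            if before is None:
                # Conversation first seen in this period.
                delta[conversation] = counts
            elif any(now < old for now, old in zip(counts, before)):
                # Assumption: a count that went backwards means the probe's
                # entry was restarted, so the current value is the delta.
                delta[conversation] = counts
            else:
                delta[conversation] = tuple(
                    now - old for now, old in zip(counts, before)
                )
        return delta


if __name__ == "__main__":
    # Constructed sample data: two collection cycles from one probe.
    generator = DeltaCountGenerator()
    snmp = ("A", "B", "IP/UDP/SNMP")
    ftp = ("A", "B", "IP/TCP/FTP")
    cycle_1 = {snmp: (10, 1000), ftp: (5, 4000)}
    cycle_2 = {snmp: (25, 2600), ftp: (5, 4000)}
    print(generator.generate("127", "alMatrix", cycle_1))
    print(generator.generate("127", "alMatrix", cycle_2))
```

Because only the previous table is kept, the delta covers exactly the interval between two retrievals, which is why the page matches the collection period to the period the delta count should represent.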



Fig. 6B is an additional illustration showing how received probe data, in the form of a network traffic data table, is processed by the data collection and conversion routine 600 to generate a network traffic data table 640 in the desired common data format (with the nlMatrixTopN and nlMatrix tables of course lacking the desired but unavailable application layer information). Five possible input data tables 621, 622, 623, 624 and 625 are shown on the left side of Fig. 6B. The ovals 630 and 632 represent terminal count conversion and delta generation operations, respectively. As illustrated, the alMatrixTopN (Terminal Count Mode) and nlMatrixTopN data tables are already in the desired common format. Thus, conversion operations need not be performed on input tables 621 and 625.

However, to place the alMatrixTopN (All Count Mode) data 622 in the common data format, the terminal count conversion operation 630 is performed.
From step 614 operation proceeds to step 616 wherein a determination is made as to whether or not there are any remaining probes from which data needs to be collected. If there are probes remaining from which data has not been collected, operation proceeds from step 616 to step 606 wherein the process of collecting network traffic data from the next probe commences.

If, however, in step 616 it is determined that there are no more probes from which data needs to be collected, e.g., it is determined that network traffic data has been collected, processed and placed in the buffer for each of the probes identified in table 169, operation proceeds to step 618 wherein the data collection and conversion routine 600 is stopped.

[...] includes data tables for each identified probe 127, 137, 147 corresponding to the just completed data collection cycle.

By the time the data collection and conversion routine 600 stops, data from each of the network traffic probes 127, 137, 147 will have been converted, if required, into the common format used by the system of the present invention and stored in the buffer 173. The buffered network traffic data existing in a common format may then be used, e.g., in the subsequent generation of a database of network traffic information.
step 612, absolute count data is converted to delta count data. In step 610 AllCount Mode data is converted to terminal count mode data. Once the conversion to terminal count mode data is completed operation proceeds to step 614 wherein the resulting data table is stored in the buffer 173.

If in step 608 an nlMatrix table is received, the absolute count data needs to be converted to delta count data to place it in the common format before storage in the buffer 173. Note that terminal count conversion need not be performed since application layer conversation information is not available from the received nlMatrix table. In step 608 when an nlMatrix table is received, operation proceeds from step 608 to step 612. In step 612, absolute count data is converted to delta count data. Once the conversion of absolute count data to delta count data is completed, operation proceeds to step 614 wherein the resulting data table is stored in the buffer 173.

If in step 608 an nlMatrixTopN table is received, the data is already in delta count format. In addition, terminal count conversion need not be performed since application layer conversation information is not available from the received nlMatrixTopN table. In step 608 when an nlMatrixTopN table is received, operation proceeds directly to step 614 wherein the received data table is stored in the buffer 173.
performed on the received network traffic data table to place it into the common data format used in accordance with the present invention depends on the type of data table received.

If in step 608 an alMatrixTopN (Terminal Count Mode) table is received, no format conversion operations are required. Accordingly, when an alMatrixTopN (Terminal Count Mode) table is received operation proceeds from step 608 directly to step 614 wherein the received data table, including time stamps indicating the time at which the network traffic occurred, is stored in a buffer 173 included in memory 162.

If in step 608 an alMatrixTopN (AllCount Mode) table is received, the data needs to be converted to terminal count mode to place it in the common format before storage in the buffer. In such a case operation proceeds from step 608 to step 610. In step 610 AllCount Mode data is converted to terminal mode count data. Once the conversion to terminal count mode data is completed the resulting data table is stored in the buffer 173.

If in step 608 an alMatrix table is received, the absolute count data included therein needs to be converted to delta count data and all mode count data needs to be converted to terminal count mode data to place it in the common format before storage in the buffer. In such a case, operation proceeds from step 608 to step 612 and then to step 610. In
step [...] 600 is executed periodically, e.g., every 30 minutes, by the CPU 154. As illustrated, the data collection and conversion routine 600 starts in step 602. During this step, the [...] is obtained from memory by the CPU 154 and executed.

From step 602 operation proceeds to step 604 wherein the probe information, included in table 169, on probes present in the network and the network traffic data table format to be used with each probe, is accessed. Thus, the data collection and conversion routine 600 obtains from memory a list of probes that were detected during the previously discussed [...] and information on the data table which the probe is to supply to the data [...].

[...] are used to collect and [...] probe that was detected during the [...] operation proceeds from [...] the processor 154 requests that the probe, from which data is to be [...] the network traffic data to the [...] in the format which was associated with the probe in the probe information data table 169.

In step 608, the [...] network traffic data [...]. The processing
extending in time over multiple periodic data collection cycles.

The data in network traffic database 510 can be accessed, e.g., in response to queries, processed, filtered and displayed and/or printed. Data processing, filtering and display generation step 515, which may be implemented by executing the routines 168 on the CPU 154, is responsible for performing such operations. The output of step 515 may take several forms including that of a printed document or a figure on the display device 152.

In the Fig. 5 embodiment a circles and lines display of network traffic, generated in accordance with the present invention, is shown on the display 152. In one such embodiment, circles are used to represent computer networks or groups of computer networks. Points within a circle are used to represent devices located within the computer network represented by the surrounding circle. Lines between [...] used to indicate detected conversations, while the thickness of a line is used to indicate the amount of data transferred during the monitored conversation. Note that in the Fig. 5 embodiment the outer circle on the display 152 represents the group of networks illustrated in Fig. 2 while each of the inner circles represents one of the computer networks 120, 130,

Fig. 6A illustrates a method 600 corresponding, in one exemplary embodiment of the invention, to the data collection and conversion
The data collection and conversion step 504 represents [...] formatting operations which are implemented using computer software, i.e., the [...] conversion [...] to control the CPU 154.

In accordance with the processing performed in the data collection and conversion module 504, network traffic data is collected at periodic intervals from each of the probes, and converted, in accordance with the present invention, into the [...] format discussed above. The [...] module [...] will be [...].

The output of the data collection and [...] step 504 is a set of network traffic data 506 which includes data from various probes that has been converted into the common data format of the present invention. The set of network traffic data 506 represents data from multiple probes collected during one periodic data collection operation involving the collection of data from probes 127, 137, 147. The set [...] data set generation and maintenance [...] 508 [...]. The [...] generation and maintenance module 508 is [...] generating multiple parallel sets of [...] which differ in terms of the [...] stored in each data set. The group of data sets generated by the module 508 represent a network traffic database 510





Once the management system 150 is initialized, collection, processing and storage of network data commences. Figure 5 illustrates the collection, processing, storage and display of network traffic data in accordance with an exemplary embodiment of the present invention.

In Fig. 5 the group of networks 120, 130, 140, from which network traffic data is collected, are generally represented as a group by the block 502. The probes 127, 137, 147 which monitor each network or network segment serve as the source of network traffic data which is supplied to the management station 150. Network traffic data, in the form of a data table, is supplied to the management station from each probe 127, 137, 147 periodically in response to requests from the management station 150 for the information. The arrows leading from the probes 127, 137, 147 to the data collection and conversion step 504 of the management station 150 represent the passing of the requested network traffic data to the management station.

Within the management station 150 there are several processing steps 504, 508, 515 which are used to represent various processing operations performed by the management station 150. In addition, there are several blocks, e.g., blocks 506, 510 and 152 which are used to illustrate the input and output data associated with the various processing operations.
probe's data is in nlMatrix format. With the successful updating of memory in step 330 to reflect the presence and data table format of the detected probe which was just initialized, operation proceeds to step 322.

In step 322 a determination is made as to whether any probes detected in step 304 remain uninitialized. If there is another probe to be initialized, operation proceeds once again to step 306 wherein initialization of the next probe begins.

If, in step 322, it is determined that no probes remain to be initialized, operation proceeds to step 332 wherein the initialization routine is stopped pending [...] the next power up or resetting of the management station 150.

An exemplary probe information data table 169 created in memory [...] via execution of the [...] routine is illustrated in Fig. 4B. Each detected probe 127, 137, 147 is identified in the [...] collecting network traffic data. Note that the table 169 includes temporary data table storage space used for storing data tables used as part of the format conversion operations discussed below. Note also that retrieved alMatrixTopN tables and nlMatrixTopN tables need not be stored for use in subsequent [...] conversion operations since these tables are retrieved from the probe in the desired delta count format.
probe which was just initialized, operation proceeds to step 322.

If in step 306, it is determined that the probe being initialized does not support alMatrix tables, a network layer table must be selected for use. In such a case, operation proceeds from step 306 to step 324 wherein the management station 150 signals the probe being initialized to create an nlMatrixTopN table.

In step 326, a determination is made as to whether or not creation of the nlMatrixTopN table was successful.

If, in step 326, it is determined that nlMatrixTopN table creation was successful, e.g., by monitoring for a signal from the probe being initialized, operation proceeds to step 328. In step 328, probe information in memory is updated to include an entry on the probe being initialized and to indicate that the probe's data is in nlMatrixTopN format. With the successful updating of memory in step 328 to reflect the presence and data table format of the detected probe which was just initialized, operation proceeds to step 322.

If, in step 326, it is determined that all Mode nlMatrixTopN table creation was unsuccessful, operation proceeds to step 330. In step 330, probe information in memory is updated to include an entry on the probe being initialized and to indicate that the
probe which was just initialized, operation proceeds to step 322.

If in step 310 it was determined that terminal alMatrixTopN table creation was unsuccessful, operation proceeds to step 314 instead of 312. In step 314, the management system 150 signals the probe being initialized to create an alMatrixTopN table using all count mode (as opposed to terminal count mode) counting.

If, in step 316, it is determined that all count mode alMatrixTopN table creation was successful, e.g., by monitoring for a signal from the probe being initialized, operation proceeds to step 318. In step 318, probe information in memory is updated to include an entry on the probe being initialized and to indicate that the probe's data is in alMatrixTopN (all count mode) format. With the successful updating of memory in step 318 to reflect the presence and data table format of the detected probe which was just initialized, operation proceeds to step 322.

If, in step 316, it is determined that all Mode alMatrixTopN table creation was unsuccessful, operation proceeds to step 320. In step 320, probe information in memory is updated to include an entry on the probe being initialized and to indicate that the probe's data is in alMatrix format. With the successful updating of memory in step 320 to reflect the presence and data table format of the detected
determining what, if any, format conversions need to be performed on data obtained from the probe.

For each detected probe 127, 137, 147 the initialization process proceeds through steps 306 through 322. The path taken through these steps determines which table format will be used with the identified probe.

In step 306 a determination is made as to whether or not the probe being initialized supports application layer tables, i.e., if the probe has alMatrix capability. In one embodiment, alMatrix support is determined by querying a probeCapabilities object supported by the detected probes and monitoring the probe's response.

If, in step 306, it is determined that the probe does support alMatrix tables, operation proceeds to step 308. In step 308, the management station 150 signals the probe to create an alMatrixTopN table using terminal mode counting. If, in step 310, it is determined, e.g., by receipt of a signal from the probe, that creation of the desired alMatrixTopN table was successful, operation proceeds to step 312. In step 312, probe information in memory is updated to include an entry on the probe being initialized and to indicate that the probe's data is in alMatrixTopN (Terminal Mode) format. With the successful updating of memory in step 312 to reflect the presence and data table format of the detected
buffering of a retrieved data table for the duration of the data measurement interval thereby requiring more memory than is required to put the alMatrixTopN table in the common data format.

Identification of the probes which are coupled to the management system 150, the data tables [...], and the selection of the data table to be used with each probe occur during execution, by CPU 154, of a management station initialization routine 300. The routine 300 is one of the initialization routines included in memory segment 171.

Operation of the management station 150 of the present invention will now be discussed with regard to the initialization routine 300 shown in Fig. 4A. The initialization routine 300 is performed by the management station, e.g., when the station is powered up or reset. The initialization routine 300 begins in step 302 [...] initialization routines 171 is executed by the CPU 154.

[...] detects the probes 127, 137, 147 which are coupled to [...]. Detection of the probes may be done in a known manner, e.g., by transmitting a signal querying for a response from probes which are present.

Once a probe is detected, the initialization routine determines the network traffic table format [...] information in memory for future use, e.g., in
does not support one of the three possible application layer tables.

To minimize the amount of data processing required to put a probe's network traffic data into the common format used by the management system 150, network data is obtained from a probe using one of the available table formats with the format utilized being selected in the following order of preference: alMatrixTopN (Terminal Mode), alMatrixTopN (AllMode), alMatrix, nlMatrixTopN and nlMatrix.

As discussed above, an alMatrixTopN (Terminal Mode) table has the advantage of requiring no format conversion operations.

The alMatrixTopN (AllMode) table requires a single conversion operation, i.e., an all count mode to terminal count mode conversion operation, to place it in the common format. Unlike absolute count to delta count conversion operations, as will be discussed below, terminal count conversion operations can be performed without the need to use the previously received data table. Accordingly, alMatrixTopN (AllMode) tables can be converted to the common format with a minimum of processing and memory requirements.

The alMatrix table is less desirable than the other application layer tables because it requires two conversion operations to place it in the common format. Furthermore, one of the conversion operations requires
converting network traffic data into a consistent format at an early stage, processing components and modules, e.g., parallel data set generation routines 166 and processing/filtering/display routines 168, are isolated from the complexities associated with varying network traffic data formats encountered from probe to probe.

The inventors of the present application recognized that, for most purposes, what is of interest is [...] during [...] time interval [...] from the time a probe is turned on. Accordingly, in determining the common format into which network traffic data should be placed, it was decided that a delta counting, as opposed to absolute counting, technique should be used. In addition, it was decided that, for maximum flexibility, it was useful to obtain as much detail about network traffic as possible. Accordingly, it was decided that the common data format should include [...] when available [...] opposed to all count mode.

Unfortunately, the only RMON2 table which satisfies the above discussed criterion selected for a common data format is the alMatrixTopN terminal count mode table. Because nlMatrix and nlMatrixTopN tables include network layer traffic data, these two tables are considered the least useful and are not used unless the probe from which the data [...] obtained
of RMON2 (the ability to turn off the monitoring of protocols), and means that any pure IP/UDP packets would not be counted. Thus, a count of any pure IP/UDP packets on the network segment 26 would not be supplied by the probe to the management station 150 on retrieval of the network traffic data from the probe 127. However, child protocols of IP/UDP (such as IP/UDP/SNMP) would continue to be counted and supplied to the management station 150 from the probe 127.

[...] the probe, we can describe the tree using the following format:

IP
IP/[...]

As discussed above, networks may include a variety of probes 127, 137, 147, with differing capabilities and differing network data table formats. In accordance with the present invention, the management station 150 collects and processes network traffic data from the probes 127, 137, 147 included in the network. In order to simplify subsequent data processing operations, the network traffic data received from the probes is processed to place it in a consistent format that can be used to support queries, storage, and displaying of network traffic data in a format that is easy to process and understand. By
the intranet [...]. The hierarchy illustrated in Fig. 3 will be used in the discussion which follows to illustrate [...] points. Note that, while a probe 127, 137, 147 may support many thousands of protocols, only those protocols which have been seen for [...] conversation will be stored in the [...] supported by the probe and thus [...] protocols which may be retrieved by the management station 150 from the probe for that conversation.

[...] shown [...]: IP (Internet Protocol); UDP (User Datagram Protocol); SNMP (Simple Network Management Protocol); TCP (Transmission Control Protocol); FTP (File Transfer Protocol); and [...] traffic).

The tree 100 has been divided into two [...]: the network layer protocols [...] and the application layer protocols [...]. [...] will be [...] examples [...].

The conversation for which the tree has been generated is a conversation between two devices, e.g., computers A and B 21, 22, using the IP network layer protocol.

The IP/UDP protocol is shown in a dotted box; this is to represent that while the IP/UDP/SNMP packets were monitored by the probe 127 the probe 127 had the IP/UDP protocol turned off. This is a feature
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■ : -The Routines ,* stored - in th£ imemdSfy ' 162 , " 

include ini't-i : ali2at±bri : routines 171, ^datS'* collection 
and converslbn ^'ou tines 164; parallel data set 
generation- routines 166 , arid pi'bceVsing '/ 'filtering / 
display' routines l r 68. £ - The vari : bu£ rout iheis "ma;y be * 
implemented afe computer programs . Ift : "addition "to" "the . 
routines 171V T6&, l&e 1 , 168J ' thei' ln*embry : 'i 
profee information and ciata * tables 1 received 'from "the 
probes 127, '137 'and-' 147*; " 1 \ :: ' z - ' /'""^ " ' Jl * 



The memory 162 may also include a buffer 173 for temporarily [...] converted to the common format of the present invention. The collected probe data stored in the buffer 173 is processed by the CPU 154 under control of routines 164, 166, 168 and stored in a network traffic information database [...] located on the storage device 158 as will be discussed below.

The keyboard 156 can be used for inputting queries regarding network traffic information. Charts and statistics regarding network traffic information are generated by the CPU 154 in response to such queries using the data included in the network traffic database. The charts and statistics are displayed on the display device 152 and/or printed at printer 170 coupled to the management station 150.

Figure 3 illustrates an exemplary protocol hierarchy in the form of a "tree" 301 which may be retrieved from one of the probes 127, 137, 147 for a monitored conversation between two devices included in

In accordance with the present invention, each of the probes 127, 137, 147 is coupled to a management station 150 which also forms part of the intranet 200. The management station 150 includes a display device 152, one or more central processing units (CPUs) 154, 155, a keyboard 156, a mass storage device 158, for storing, e.g., a database, and memory 162 which are coupled together by bus 163. The mass storage device 158 may be, e.g., a disk drive or array of drives. In the embodiment illustrated in Fig. 2, CPUs 154, 155 capable of operating in parallel are shown. However, in many embodiments, a single CPU 154 is used on a time shared basis, e.g., to [...] database generation and maintenance operations.



The bus 163 couples the discussed management station components to an input/output (I/O) [...] connect the management station [...] to the first through third probes [...] 147. The I/O interface 160 [...] interfacing between the various devices coupled thereto.

One or both of the management station's CPUs 154, 155 can be used to control the operation of the management station 150 as a function of various routines stored in the memory 162. The use of one or both of the CPUs in controlling the operation of the management station 150 depends on the implemented operating system. For exemplary purposes it will be assumed that only CPU 154 is used to control operation of the management station 150

link, e.g., an Ethernet, 26, 36, 46, respectively. The first LAN 120 is coupled to the second LAN 130 via a first router 17 which couples data links 26, 36 together. The first LAN 120 is also coupled to the third LAN 140 via a second router 18.

The second LAN 130 is coupled to the third LAN 130 via a third router 19 which couples data links 36 and 46 together.



Links 26, 36 and 46 are network segments within the intranet 200. In order to obtain information on traffic of the network segments 26, 36, 46, probes 127, 137, 147 are included in each of first through third LANs, respectively. Each probe is coupled to the data link, e.g., Ethernet, which is included in the LAN in which the probe resides. Because the first probe 127 is coupled to the first Ethernet 26, it can collect information about traffic on the network segment 26. Similarly, the second and third probes 137, 147 are able to collect information about traffic on the network segments 36, 46, to which they are coupled, respectively. In accordance with one embodiment of [...] the probes 127, 137, 147 collect and store network traffic data in one or more RMON2 tables (MIBs).

The probes 127, 137, 147 may include memory, a processor, an I/O interface device and a mass storage device, such as a disk drive. In one embodiment, probes 127, 137, 147 are implemented using known network traffic data probes.

Figure 9 illustrates a network traffic database including parallel data sets having an hourly and 6-hourly resolution.

Figure 10 is a flow chart illustrating a network traffic database including parallel sets of network traffic information stored at different resolutions.

DETAILED DESCRIPTION

As discussed above, the present invention is directed to methods and apparatus which can be used to collect and process data, e.g., regarding traffic in a computer network or intranet. It is also directed to methods of presenting network traffic data in a format that can be easily understood by a person, e.g., an individual responsible for managing the [...]



Referring now to Fig. 2, there is illustrated an intranet 200, implemented in accordance with one embodiment of the present invention. Various elements of the intranet 200 which are the same as, or similar to, the known intranet 10, are identified using the same reference numerals used in Fig. 1.

As illustrated, the intranet 200 comprises first through third LANs 120, 130, 140 each of which includes a plurality of computers (21, 22, 23) (31, 32, 33) (41, 42, 43), respectively. The computers within each LAN 120, 130, 140 are coupled together by a data

Figure 4A is a flow chart of a management system initialization routine implemented in accordance with the present invention.

Figure 4B is an exemplary probe information/data table created by executing the initialization routine illustrated in Fig. 4A.

Figure 5 is a diagram showing the processing of network conversation data in accordance with one exemplary embodiment of the present invention.

Figure 6A illustrates a method of collecting network traffic data from probes and converting the collected data into a common data format.

Figure 6B illustrates the conversion of various RMON2 data tables into the common data format used in accordance with various embodiments of the present invention.

Figure 7 is a block diagram illustrating the generation of a network traffic database including parallel sets of data of differing resolutions.

Figure 8 is a flow chart illustrating a method of the present invention for generating a network traffic database including sets of network traffic stored at different resolutions.

[...] environment since each data set can be maintained and updated independently.



In the databases of the present invention, data set records at the different resolutions overlap, covering the same time period. This makes it [...] easy for a system administrator to review database records corresponding to the same time period at different resolutions. This can facilitate a system administrator's attempts to identify network traffic problems and/or trends without the need to perform complicated processing when comparing or switching between data at different resolutions.

In addition to the above described features, many other features and embodiments of the present invention are described in detail below.



BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a block diagram of a known intranet arrangement.

Figure 2 is a block diagram of an intranet including a management system implemented in accordance with one embodiment of the present invention.

Figure 3 is a diagram of a protocol hierarchy used in various examples discussed herein.

Once network traffic data is collected and placed in a common format, it is ready for use in generating displays and/or network traffic databases.

In one particular embodiment of the present invention, the network traffic data, in the common data format, is stored in a network traffic database to allow for future analysis such as baselining and troubleshooting.

[...] by the system of the present invention by creating and maintaining a database that includes multiple parallel sets of network traffic data at different resolutions.

In accordance with the database generation and maintenance routines of the present invention, a data set for each different resolution is stored in a first-in, first-out (FIFO) data structure. The oldest records in the FIFO data structure are overwritten when there is no longer any unused storage space available for storing the records of the resolution to which the data structure corresponds.

Because the network traffic database of the present invention is not aged, the periodic processor loading associated with aging of databases is avoided. In addition, the need to double buffer the database data during an aging process is eliminated since no aging is performed.
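
The parallel FIFO data sets described above can be sketched as follows. This is an added illustration in Python, not code from the patent: the class names, the bucket capacities and the sample conversation are assumptions, and records are filed under the interval that was monitored rather than the time they arrived.

```python
"""Added example: parallel data sets kept at several resolutions, no aging."""

HOUR = 3600


class ResolutionSet:
    """Fixed-capacity set of time buckets for one resolution."""

    def __init__(self, seconds, capacity):
        self.seconds = seconds      # width of one bucket
        self.capacity = capacity    # number of buckets the space allows
        self.buckets = {}           # bucket start -> {conversation: bytes}

    def add(self, interval_start, key, nbytes):
        # File the record under the monitored interval, not the arrival
        # time, so delayed probe data still lands in the right bucket.
        start = interval_start - interval_start % self.seconds
        if start not in self.buckets:
            if len(self.buckets) >= self.capacity:
                oldest = min(self.buckets)
                if start < oldest:
                    return False    # older than anything still retained
                del self.buckets[oldest]   # overwrite the oldest record
            self.buckets[start] = {}
        bucket = self.buckets[start]
        bucket[key] = bucket.get(key, 0) + nbytes
        return True

    def total(self, start, key):
        return self.buckets.get(start, {}).get(key, 0)


class ParallelDatabase:
    """Every record is written to each resolution independently."""

    def __init__(self, layout):
        # layout maps bucket width in seconds -> number of buckets kept
        self.sets = {sec: ResolutionSet(sec, cap)
                     for sec, cap in layout.items()}

    def store(self, interval_start, key, nbytes):
        return {sec: rs.add(interval_start, key, nbytes)
                for sec, rs in self.sets.items()}


def demo():
    # Hourly set with room for 4 records, 6-hourly set with room for 2.
    db = ParallelDatabase({HOUR: 4, 6 * HOUR: 2})
    conv = ("10.0.0.21", "10.0.0.22", "IP/TCP/HTTP")  # constructed sample
    for hour in range(8):
        db.store(hour * HOUR, conv, 100)
    # A delayed record for hour 6 arrives after hour 7 was stored.
    late_recent = db.store(6 * HOUR + 120, conv, 50)
    # A very late record for hour 1: the hourly set no longer holds it,
    # the 6-hourly set still does.
    late_old = db.store(1 * HOUR, conv, 7)
    return db, conv, late_recent, late_old


if __name__ == "__main__":
    db, conv, _, late_old = demo()
    print(sorted(db.sets[HOUR].buckets), late_old)
```

The hourly records for hours 4 and 5 overlap the first 6-hourly record, so the same period can be read at either resolution without any aging pass.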



The parallel database routines of the present invention also have the advantage of being well suited

invention [...] traffic data probes to provide data in a format that is as close to the desired format as possible, given an individual probe's capabilities.



A specific embodiment of the present invention is directed to the use of RMON2 probes and RMON2 data tables.



In one embodiment, to minimize the [...] data processing required [...] put a probe's network traffic data into the common format used by a management system of the present invention, and to [...] collected, network data is obtained from a probe using one of [...] RMON2 [...] formats, selected in the [...] preference: alMatrixTopN (Terminal [...] and nlMatrix.



[...] alMatrixTopN (Terminal Mode) data tables [...] requirements [...] used in the present invention to be performed. In addition, RMON2 alMatrixTopN (Terminal Mode) data tables include both application layer and network layer data. For these reasons, the RMON2 alMatrixTopN (Terminal Mode) data [...] preferred of the RMON2 tables in the above discussed embodiment.

associated with collecting and processing network traffic data. As discussed above, one of the major problems encountered with collecting and processing network traffic data is the numerous different counting techniques and data table storage formats that may be used by various probes in the same system.

In order to provide a high degree of detailed information for subsequent applications, attempts are made by the method of the present invention to collect application layer traffic data as well as network layer traffic data.



To reduce problems due to different counting techniques and data table formats, the present invention processes collected network traffic data, as required, to place it into a common data format. The common data format is selected to provide a [...] degree of [...] that is easy to use, e.g., by database generation and graphing applications.

From a user standpoint, it was determined that, in at least one embodiment of the invention, it was desirable that the common data format include delta count values as opposed to absolute count values and that application layer information be presented in terminal count mode as opposed to all count mode.

In order to reduce the amount of processing required to put the data in the desired common format, and the temporary data storage requirements associated with such processing, the system of the present

and [...] data be compatible with existing probe data formats. It is also desirable that the new methods and apparatus be capable of being used with, or adapted to being used with, probe data formats that may be supported in the future.

In particular, it is desirable that at least some new methods and apparatus be capable of working with network traffic data in a plurality of [...] and count formats including various RMON2 tables. It is also desirable that any such method and/or apparatus not require a specific one of the RMON2 [...] probe which would result in a [...] RMON2 probe selection and probe resource requirements.

In view of the above, it is apparent that there remains considerable room for improvement in how network [...] is collected, stored, processed and presented to network administrators and other individuals responsible for the [...] maintenance and [...] of networks and intranets.



SUMMARY OF THE PRESENT INVENTION

[...] to methods [...] apparatus for collecting, [...] processing and [...] network traffic data in computer networks.

Several embodiments of the present invention are directed to dealing with the difficulties

in a manner that allows for easy comparison and presentation of traffic data monitored on various network segments.



In addition, there is a need for methods and apparatus which are capable of limiting the growth of databases, e.g., network traffic databases, over time. It is desirable that the methods and apparatus allow for accurate access to the database at all times, once it is created. It is also desirable that the database methods not require double buffering of the data included in the database to support such access. In addition, if data sets of different resolutions are included in the database, it is desirable that the lower resolution data sets incorporate the information found in the higher resolution data sets and overlap for at least some period of time.

Data from different probes corresponding to a particular time period may not be received precisely at the same time by a monitoring device, e.g., due to network transmission delays, etc. Accordingly, it is also desirable that methods and apparatus for receiving and storing network traffic [...] compensating for such delays so that received network traffic data is stored and presented in a manner that accurately reflects the traffic in the time period that was monitored and not the time at which the traffic data was received by the monitoring station.

In addition to the above features, it is desirable that new methods of collecting, processing

that accessing the data during aging will still give the correct results. Given that the size of the database to be aged can be quite substantial, double buffering presents obvious hardware disadvantages.

From an implementation standpoint the known aging process also has the disadvantage of placing significant periodic demands for processing resources that can interfere with, e.g., slow or delay, other processing tasks performed by a management station, while the aging operation is being performed.

The known data aging process results in multiple non-overlapping data sets of differing resolutions corresponding to different time periods. From a [...] standpoint, this makes it difficult to [...] and compare data sets to [...], e.g., network traffic [...] the data sets correspond to [...] apparent that there is a need for new and improved methods and apparatus for collecting and handling network traffic data from probes.

In particular, there is a [...] methods of collecting network traffic data that minimize the number of different data formats and data tables which must be processed. In addition, there is a need for [...] methods and apparatus for processing data received in [...] formats to produce a database of network traffic data which can easily be accessed by other [...] and/or presented to a human administrator

requirements for a management system storing data obtained from several probes is many times greater.

One known technique for limiting the growth of a network traffic database is referred to as data aging. Data aging involves periodically scanning the stored data and, during the scan, data records that are older than certain preselected age limits are read and get combined, e.g., added together, to create an additional set of data records of lower resolution than the records used to create the additional set. The records used to create the lower resolution set of data records are [...] database. When this technique is used, there are normally multiple age limits set up, resulting in multiple data sets corresponding to different [...] periods. In such a system, the older the data records become, the lower the resolution of those records will be. Hence less disk space is required to store records corresponding to [...] longer in the past [...] period of time [...].

Unfortunately, the known data aging technique has several disadvantages, both from an implementation standpoint and from the standpoint of a human system administrator attempting to use the stored network traffic information.

From [...] the known system has the distinct disadvantage of requiring double buffering of the data while the aging process is being performed. Such double buffering is required so

The numerous variations in data counting methods and monitored protocol layer information discussed above can cause network traffic data collected from probes to be difficult to compare, process and display in a manner that can be easily understood by a human.

One solution to the problem of different data tables being supported by different probes in a network is to use only probes which provide data in the same format. Unfortunately, this approach tends to be costly and often involves replacing existing probes, adding new probes, and/or using probes which, at least in some locations, provide a greater data collection capability than required. Thus, for cost reasons, probe selection rarely tends to be a practical solution to resolving problems resulting from a lack of consistency among probe data collection and storage techniques.

While the recent addition of RMON2 support for including information about child protocols in at least some data tables greatly increases the level of detailed information that can be collected regarding network traffic, it has led to increases in probe data storage and processing requirements. As the volume of network and intranet activity continues to increase into the Gigabytes/sec range, space required to store detailed network traffic information for extended periods of time can become significant. While the data storage requirements for a probe maintaining network traffic data can be significant, the data storage

2. Once the time interval is reached, then generate a table of the top-N conversations seen in the network. This table can then be retrieved by the user (or client program) and is held until the next table is generated, which then replaces the current table. The ordering in a MatrixTopN table may be either by the number of packets seen, or by the number of bytes seen.
3. Go back to step 1.

As MatrixTopN tables monitor the number of packets and bytes seen over the specified time interval, with the counters being effectively reset each time a new table of the top N conversations is generated, the counters generated by MatrixTopN tables are referred to herein as delta counters.

Because intranets, and the networks which comprise intranets, are frequently implemented and modified over a period of time, a plurality of different probes, supporting different data traffic table formats, will frequently be encountered in the same network. In some cases, a probe may have insufficient processing and data storage resources to support all but the least resource intensive data table format, e.g., an nlMatrix table. Accordingly, the information included in traffic data tables of probes may vary from probe to probe depending on the particular protocols [...] individual probe's available resources, and the MIB format implemented by the individual probes.

whether a network layer (nl) or application layer (al) table is being supported, the method of counting data will vary depending on the supported table type.

The alMatrix and nlMatrix tables monitor conversations which occur in the network, and keep count of the total number of bytes and packets seen for each conversation, for each monitored protocol since the probe was turned on. If the probe has been reset since it was turned on, then the counters are for the number of bytes and packets seen since the last time the probe was reset. These kinds of counters are referred to [...] as absolute counters. The entries in alMatrix and nlMatrix tables are [...] and protocol.



The alMatrixTopN and nlMatrixTopN tables also monitor all conversations which occur in the network, and also keep count of the number of bytes and packets seen for each conversation. However, there are several [...]. MatrixTopN tables must be configured by [...] to [...] maximum number of entries and time interval [...] the following [...] until the MatrixTopN table is [...] (either by a request from [...] client program, or by the probe being turned off):

1. Monitor the conversations in the network, counting the packets and bytes seen over the specified time interval.



Count Mode), alMatrix, nlMatrix and nlMatrixTopN tables.

Numerous distinctions exist between the various types of tables that may be supported by an RMON2 probe.

Network-layer (nl) tables, e.g., nlMatrix and nlMatrixTopN tables, count only those protocols which are deemed to be network-layer protocols. Network-layer protocols are the protocols which are used to provide the transport-layer services as per the well-known ISO OSI 7-layer protocol model, and include, for example, such protocols as IP, IPX, DECNET, NetBEUI and NetBIOS among others. No child-protocols of the network-layer protocols are counted in network-layer tables.

Application-layer (al) tables, e.g., alMatrixTopN (Terminal Count Mode), alMatrixTopN (All Count Mode) and alMatrix tables, count any protocol that is [...] provided the probe knows how to decode the protocol. This includes, e.g., everything [...] IP/UDP/SNMP, Lotus Notes traffic, [...], and so on. Application-layer tables provide information on a super-set of the protocols which the network-layer (nl) tables provide, by counting child-protocols of the supported network-layer protocols.

In addition to the different types of protocol data that will be monitored depending on

available from a probe will depend on which data table the probe implements and the counting method employed.

Currently, four different RMON2 matrix (or conversation) table types are possible: alMatrix, alMatrixTopN, nlMatrix, and nlMatrixTopN.

In addition [...] MatrixTopN tables support two [...] modes of operation which affect [...] and bytes [...] the various protocol [...]. The first of these counting modes will be referred to herein as all count [...] this mode [...] all the protocol layers [...]. For example, an IP/TCP/HTTP packet would increment [...] IP, TCP and HTTP protocols. The second counting mode [...] referred to [...] as terminal count mode. In this mode [...] only the [...] packet. [...] would increment the [...]. Note that the terminal count mode may only be used with the alMatrixTopN table. However, all count mode can be used with all the RMON2 tables discussed above [...] the alMatrixTopN table.
•:>... 3 ilz £.•"•.-• : .*3:rrrc-l iJsb 1.; .:;cln-c; c-d* 03 Is c-r.s .'*>.*•.. ^-or 

[...] data in tables corresponding to any one of five different RMON2 formats. The five different RMON2 table possibilities are identified herein as alMatrixTopN (Terminal Count Mode), alMatrixTopN (All

often called monitors or probes, are sometimes used. These devices often serve as agents of a central network management station. Often the remote probes are stand-alone devices which include internal resources, e.g., data storage and processing resources, used to collect, process and forward, e.g., to the network management system, information on packets being passed over the network segment being monitored. In other cases, probes are built into devices such as routers and bridges. In such cases, the available data processing and storage resources are often shared between a device's primary functions and its secondary traffic monitoring functions. In order to manage an intranet or other network comprising multiple segments, many probes may be used, e.g., one per each network segment to be monitored.

Network traffic data collected by a probe is normally stored internally within the probe until, e.g., being provided to a network management station. The network traffic data is usually stored in a table sometimes referred to as a management information base (MIB). [...] MIB standards have been set by the Internet Engineering Task Force (IETF) which increase the [...] traffic that can be monitored, the number of ways network traffic can be counted, and also the number of data formats which can be used for storing collected data. RMON2 tables may include a variety of network traffic data including information on network traffic which occurs on layers 3 through 7 of the Open Systems Interconnect (OSI) model. The particular network traffic information which is

another example, consider a packet which uses the SNMP (Simple Network Management Protocol) running over UDP (User Datagram Protocol), running on an IP (Internet Protocol) network-layer protocol. Such a packet would be described herein as an IP/UDP/SNMP packet.

As networks have grown in size, and the volume of data being passed over networks has increased, system administrators have been faced with the job of planning and maintaining networks of ever increasing size and complexity.



Network traffic information can be used when troubleshooting problems on an existing network. It can also be used to [...] system with alternative routing paths. In addition, information on existing or changing network traffic trends is useful when decisions on upgrading or expanding service are being made. Thus, information on network traffic is useful both when maintaining an existing network and when planning modifications and/or additions to a network. Given the [...] traffic information, system administrators have recognized the need for methods and apparatus for monitoring network activity, e.g., data traffic.

Because intranets often encompass geographically remote systems, remote monitoring of network traffic is often desirable.

In order to facilitate the monitoring of
network activity, remote monitoring (RMON) devices

together physically remote LANs 20, 30, 40. In the
intranet 10, each of the first through third LANs 20,
30, 40 includes a plurality of computers (21, 22, 23),
(31, 32, 33), (41, 42, 43), respectively. The computers
within each LAN 20, 30, 40 are coupled together by a
data link, e.g., an Ethernet, 26, 36, 46, respectively.
The first LAN 20 is coupled to the second LAN 30 via a
first router 18. Thus, the router 18 couples data
links 26, 36 together. Similarly, the second LAN 30 is
coupled to the third LAN 30 via a second router,
which couples data links 36 and 46 together.



As is known in the art, the transferring of
data in the form of packets can involve processing by
several layers which are implemented in both hardware
and/or software at different points in a network. A
different protocol may be used at each level, resulting
in a protocol hierarchy.

At the bottom of the protocol hierarchy is
the network layer protocol. One or more application
layer protocols are above the network layer
protocol. In the present application, when describing
a protocol associated with a data packet, the protocol
associated with the packet will be described in terms
of the protocols and layers associated therewith.

For example, the annotation:

<network-layer>/<application-layer

is used to describe the protocol hierarchy of
the top-level (application-layer N) protocol. As

METHODS AND APPARATUS FOR COLLECTING, STORING,
PROCESSING AND USING NETWORK TRAFFIC DATA



FIELD OF THE INVENTION

The present invention is directed to the
collection, storage, processing and use of data in
computer networks, and more specifically, to the
collection, storage, processing and use of data
relating to network traffic.



BACKGROUND OF THE INVENTION

The use of computer networks, and
inter-connected groups of computer networks referred to
as intranets, continues to be on the increase. The World
Wide Web (WWW), sometimes referred to as the Internet,
is an example of a global system of inter-connected
computer networks used for both business and personal
pursuits. The increased use of intranets within
individual businesses and the increased use of the
Internet globally is due to the increased number of
computer networks in existence and the ease with which
data, e.g., messages and/or other information, can now
be exchanged between computers located on
inter-connected networks.



implemented using known networking techniques and three
local area networks (LANs) 20, 30, 40. The intranet 10
may be implemented within a business by linking

        store the most recently collected data
        table in said temporary data table storage
        location;

        from the entries in each row of the most
        recently collected data table, subtract
        the corresponding packet and byte counter
        values obtained from the corresponding row
        of the table retrieved from said temporary
        data table storage location, the resulting
        packet and byte counters being the delta
        count values for the network traffic table
        being generated; and

        incorporate the generated delta count
        values in the network traffic data table
        upon which the conversion operation is
        being performed thereby replacing the
        absolute count values from which they were
        generated;

        discard the network traffic data table
        retrieved from said temporary storage
        location;
    end else

end {delta count generation operation}

In the pseudo code set forth above, the delta
time interval is the time interval between generation
of the retrieved tables by the probe which supplies the
data being processed.

As an example of a delta count conversion
operation consider that a counter in a table
retrieved from a specific probe had a value of 100
the first time the data table was retrieved from the
specific probe, a value of 400 the next time the data
table was retrieved from the same probe and a value of
600 the third time data was retrieved from the probe.
In such a case, the delta counter value generated in
accordance with the conversion process of the present
invention for the interval corresponding to the time
period between the first and second probe data
retrievals would be 300 and the delta counter value
generated for the second time interval, corresponding to
the period of time between the second and third probe
data retrievals would be 200.

The conversion of all mode count data to
terminal mode count data is required to convert data
from alMatrix and alMatrixTopN (All Count Mode) tables
into the common format used by the apparatus of the
present invention. The conversion process of the
present invention assumes that the data in the tables
has already been converted into delta count values if
it was not already in delta count format.

In accordance with the exemplary embodiment
of the present invention, the conversion of all count
mode data to terminal count mode data in step
[illegible] and the terminal count conversion
operation 630 involve performing the steps set forth in
the following pseudo code:

Begin {Conversion of All Count mode Data
       to Terminal Count mode Data}

For each individual conversation for which there is
data in the data table being processed do:

        determine the protocol hierarchy for the
        individual conversation;

        starting at the network-layer protocols,
        subtract the counter values for each
        immediate (existing) child protocol from
        the child protocol's immediate (existing)
        parent counter value and store the result
        as the parent protocol's terminal count
        counter value.

        Repeat the preceding step for each child
        protocol until the entire protocol
        hierarchy has been traversed.

End {do}

End {Conversion of All Count mode Data
     to Terminal Count mode Data}

As an example of a terminal count conversion
operation consider the exemplary protocol hierarchy
discussed above in regard to Fig. 3. In order to
convert all count mode data to terminal count mode data
the following steps would be performed assuming the
Fig. 3 protocol hierarchy:

1. The protocol hierarchy for the monitored conversation
   would be determined.

2. Start with the IP protocol values (packet and
   byte counter values). Subtract the corresponding
   counter values for the IP/TCP and IP/UDP/SNMP
   protocols from the IP parent protocol counter
   values. Note that the IP/UDP/SNMP protocol is
   considered to be an immediate child of the IP
   protocol because the IP/UDP protocol does not exist
   in the data retrieved from the probe in the Fig. 3
   example (since the probe is not monitoring it), and
   so IP is the immediate (existing) parent of
   IP/UDP/SNMP. Store the resulting values as the
   terminal count IP protocol counter values.

3. Next, move onto the children of IP, namely IP/TCP and
   IP/UDP/SNMP. For IP/TCP, subtract counter values for
   the IP/TCP/FTP and IP/TCP/HTTP protocols from the
   corresponding IP/TCP counter values. Store the
   result as the IP/TCP terminal count counter values.
   For IP/UDP/SNMP there are no children, and so no
   processing is needed to convert the counter values
   to terminal count values.

4. Finally, the conversion process moves onto the
   children of IP/TCP, namely IP/TCP/FTP and
   IP/TCP/HTTP. As neither of these protocols have
   children in the hierarchy there is no processing to
   be done to convert the counter values to terminal
   count values.

Examples of the data collection, conversion
(where required), and storage processes of the present
invention [illegible]. The following
examples of how various packets and bytes seen for a
single conversation would be counted in the various
probe table formats, are based on the following
example conversation. The byte and packet counts for
the example conversation, for one exemplary monitored
time period, are set forth below in Table 1. In
accordance with the present invention, the time period
would correspond to the time period for which al and nl
MatrixTopN tables were configured.

In the following example conversation, in the
monitored time interval reflected in Table 1, the
device with the IP address 123.45.67.89 was talking to
the device with IP address 98.76.54.32 and the following
packet and byte counts were seen by a probe in regard
to the conversation:

Protocol     | Packets | Bytes
IP           | 50      | 5000
IP/TCP       | 20      | 4000
IP/TCP/FTP   | 200     | 30000
IP/TCP/HTTP  | 10      | 1000
IP/UDP/SNMP  | 120     | 10000

TABLE 1



The byte and packet counts for the example
conversation shown in Table 1 include only the
monitored protocols which were shown in the example
hierarchy discussed earlier in regard to Fig. 3. Note
that Table 1 reflects that the monitoring of UDP
protocol [illegible] in the probe monitoring
the conversation. Also note that in Table 1, e.g.,
IP/TCP represents all those packets which could only be
decoded by the probe as far as the IP/TCP protocol;
the IP/TCP count does not include the IP/TCP/FTP or
IP/TCP/HTTP counts.

Examples of the processing performed in
Fig. 6B for each of the five possible input table
formats will now be provided based on the above
discussed exemplary conversation.

1. alMatrixTopN (Terminal Count Mode) 
Table Processing Example 

As discussed above, the alMatrixTopN
(Terminal Count Mode) table monitors conversations at
all the known application layer protocols, and stores
them, using delta counters, in a table which is ordered
by the packet or byte counters (depending upon
user-configuration). The counters in the alMatrixTopN
(Terminal Count Mode) table work in Terminal Count
Mode, and so a monitored packet increments only the
counter of the highest-level protocol used in the
packet.



In this example, we will assume that the user
(or client program) has requested that the table be
ordered by the byte counters. Since the counters in this
table work in terminal count mode, the 200 IP/TCP/FTP
packets, for example, increment only the IP/TCP/FTP
packet counter by 200.

As a result, the alMatrixTopN (Terminal Count
Mode) table for the exemplary conversation of TABLE 1
would look like this:

Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 200     | 30000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 120     | 10000
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 50      | 5000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 20      | 4000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 10      | 1000

TABLE 2



Note that as this is a MatrixTopN table, the
packet and byte counter values are the total number of
packets and bytes for the conversation in the monitored
time interval.

For alMatrixTopN (Terminal Count Mode), the
counters are already delta values in terminal count
mode so the table, e.g., Table 2, received from a
probe is automatically in the common data format.
Accordingly, in accordance with Fig. 6B the
alMatrixTopN (Terminal Count Mode) table would be
stored unmodified in the buffer 173.

2. alMatrixTopN (All Count Mode)
Table Processing Example

The alMatrixTopN (All Count Mode) table
monitors conversations at all the known
application-layer protocols, and stores them, using
delta counters, in a table which is ordered by the
packet or byte counters (depending upon
user-configuration). The counters in the alMatrixTopN
(All Count Mode) table work in All Count Mode, and so a
monitored packet increments the counters for all the
protocol layers used in the packet.

works in All Count Mode, the monitored protocols
increment the following counters for the exemplary
conversation:

Protocol     | Incremented Counters
IP           | IP
IP/TCP       | IP, IP/TCP
IP/TCP/FTP   | IP, IP/TCP, IP/TCP/FTP
IP/TCP/HTTP  | IP, IP/TCP, IP/TCP/HTTP
IP/UDP/SNMP  | IP, IP/UDP/SNMP

TABLE 3
This means that, for example, the 200
IP/TCP/FTP packets increment the IP, the IP/TCP and the
IP/TCP/FTP packet counters by 200.

Note that as the IP/UDP protocol is not being
monitored in this example by the probe, an IP/UDP
counter is not maintained. Accordingly, packets for
the IP/UDP/SNMP protocol do not increment an IP/UDP
counter.

In this example, we will assume that the user
(or client program) has requested that the table be
ordered by the byte counters. Since the counters work
in All Count Mode, the 200 IP/TCP/FTP packets increment
the IP, the IP/TCP and the IP/TCP/FTP packet counters
by 200.

The resulting alMatrixTopN (All Count Mode)
table would look like this:

Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 400     | 50000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 230     | 35000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 200     | 30000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 120     | 10000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 10      | 1000

TABLE 4A



As this is a MatrixTopN table, the packet and
byte counter values are the total number of packets and
bytes for the conversation in the monitored time
interval.

In order to place the alMatrixTopN (All Count
Mode) table in the selected common format used by the
present invention, a terminal count conversion
operation is performed on the values in TABLE 4A, as
follows:

Protocol     | Formula                             | Packets              | Bytes
IP           | IP - IP/UDP/SNMP - IP/TCP           | 400 - 230 - 120 = 50 | 50000 - 10000 - 35000 = 5000
IP/UDP/SNMP  | IP/UDP/SNMP                         | = 120                | = 10000
IP/TCP       | IP/TCP - IP/TCP/FTP - IP/TCP/HTTP   | 230 - 200 - 10 = 20  | 35000 - 30000 - 1000 = 4000
IP/TCP/FTP   | IP/TCP/FTP                          | = 200                | = 30000
IP/TCP/HTTP  | IP/TCP/HTTP                         | = 10                 | = 1000

TABLE 4B



After terminal count conversion, the counter
values are now delta counter values expressed in
terminal count mode format, giving the following table.

Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 50      | 5000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 20      | 4000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 200     | 30000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 10      | 1000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 120     | 10000

TABLE 4C



Since the monitored probe data is now in the
desired common format, Table 4C can be stored in
buffer 173.

3. alMatrix Table
Processing Example

The alMatrix table monitors conversations at
all the known application-layer protocols, and stores
them, using absolute counters, in a table which is
ordered by network-layer protocol, source and
destination addresses and application-layer protocol.
The counters in the alMatrix table work in All Count
Mode, and so a monitored packet increments the counters
for all the protocol layers used in the packet.

Since the alMatrix table works in All Count
Mode, the monitored protocols increment the counters
illustrated in Table 3.

As a result, the alMatrix table would look
like this:

Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 1200    | 150000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 690     | 1000000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 600     | 90000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 30      | 3000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 360     | 30000

TABLE 5A

Table from the same probe, was as follows: 



Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 800     | 100000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 460     | 965000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 400     | 60000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 20      | 2000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 240     | 20000

TABLE 5B

For the alMatrix Table 5A, the counter values
are absolute values presented in all count mode.
Accordingly, to place the alMatrix Table 5A into the
desired common format the counter values first need to
be converted to delta values and all count mode values
need to be converted to terminal count mode values.

In accordance with the present invention the
first step is the generation of delta values. This is
done by subtracting the counter values in the alMatrix
Table 5B, which was received during the last collection
operation, from the corresponding counter values found
in the most recently received alMatrix Table 5A.
Table 5B may be obtained from the temporary data table
storage located in memory 169. The resulting table,
Table 5C, which includes the delta values generated by
the subtraction operation is shown below:



Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 400     | 50000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 230     | 35000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 200     | 30000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 10      | 1000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 120     | 10000

TABLE 5C

After delta count conversion, the values in
[illegible] subtractions shown in Table 5D.

Protocol     | Formula                             | Packets              | Bytes
IP           | IP - IP/UDP/SNMP - IP/TCP           | 400 - 230 - 120 = 50 | 50000 - 10000 - 35000 = 5000
IP/UDP/SNMP  | IP/UDP/SNMP                         | = 120                | = 10000
IP/TCP       | IP/TCP - IP/TCP/FTP - IP/TCP/HTTP   | 230 - 200 - 10 = 20  | 35000 - 30000 - 1000 = 4000
IP/TCP/FTP   | IP/TCP/FTP                          | = 200                | = 30000
IP/TCP/HTTP  | IP/TCP/HTTP                         | = 10                 | = 1000

TABLE 5D

The terminal count conversion operation
results in the following table:

Network Layer Protocol | Source Address | Destination Address | Application Layer Protocol | Packets | Bytes
IP                     | 123.45.67.89   | 98.76.54.32         | IP                         | 50      | 5000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP                     | 20      | 4000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/FTP                 | 200     | 30000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/TCP/HTTP                | 10      | 1000
IP                     | 123.45.67.89   | 98.76.54.32         | IP/UDP/SNMP                | 120     | 10000

TABLE 5E

As Table 5E is now in the common data format,
i.e., with counter values expressed as delta counter
values in terminal count mode, Table 5E can be stored
in the buffer 173.
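The two conversions worked through in Tables 5A to 5E, as an added Python example that is not code from the original document. The row layout and all function names are assumptions of this example, as are two behaviours the text above does not specify: a conversation missing from the previous table is counted from zero, and a counter that runs backwards (for instance after a probe restart) is rejected rather than stored.

```python
from typing import Dict, Iterable, Optional, Tuple

Counts = Tuple[int, int]        # (packets, bytes)
Key = Tuple[str, str, str]      # (source, destination, protocol path)

SRC, DST = "123.45.67.89", "98.76.54.32"


def rows(values: Dict[str, Counts]) -> Dict[Key, Counts]:
    """Attach the example conversation's addresses to each protocol row."""
    return {(SRC, DST, path): counts for path, counts in values.items()}


# Constructed from Table 5A (most recent alMatrix retrieval, absolute counts).
TABLE_5A = rows({"IP": (1200, 150000), "IP/TCP": (690, 1000000),
                 "IP/TCP/FTP": (600, 90000), "IP/TCP/HTTP": (30, 3000),
                 "IP/UDP/SNMP": (360, 30000)})
# Constructed from Table 5B (previous retrieval from the same probe).
TABLE_5B = rows({"IP": (800, 100000), "IP/TCP": (460, 965000),
                 "IP/TCP/FTP": (400, 60000), "IP/TCP/HTTP": (20, 2000),
                 "IP/UDP/SNMP": (240, 20000)})


def to_delta(current: Dict[Key, Counts],
             previous: Dict[Key, Counts]) -> Dict[Key, Counts]:
    """Delta generation: subtract the previous table row by row."""
    delta = {}
    for key, (pkts, octets) in current.items():
        # Assumption: a row with no predecessor is counted from zero.
        prev_pkts, prev_octets = previous.get(key, (0, 0))
        d_pkts, d_octets = pkts - prev_pkts, octets - prev_octets
        if d_pkts < 0 or d_octets < 0:
            # Assumption: refuse to store a counter that went backwards.
            raise ValueError(f"counter decreased for {key}")
        delta[key] = (d_pkts, d_octets)
    return delta


def existing_parent(path: str, present: Iterable[str]) -> Optional[str]:
    """Nearest ancestor of `path` that actually has a row in the table."""
    known = set(present)
    parts = path.split("/")
    for n in range(len(parts) - 1, 0, -1):
        candidate = "/".join(parts[:n])
        if candidate in known:
            return candidate
    return None   # network-layer protocol: top of the hierarchy


def to_terminal(all_count: Dict[Key, Counts]) -> Dict[Key, Counts]:
    """Terminal count conversion, one conversation at a time."""
    by_conversation: Dict[Tuple[str, str], Dict[str, Counts]] = {}
    for (src, dst, path), counts in all_count.items():
        by_conversation.setdefault((src, dst), {})[path] = counts

    terminal = {}
    for (src, dst), protos in by_conversation.items():
        remaining = {path: list(counts) for path, counts in protos.items()}
        for path, (pkts, octets) in protos.items():
            parent = existing_parent(path, protos)
            if parent is not None:
                # Each child is subtracted from its immediate existing parent
                # only, e.g. IP/UDP/SNMP from IP when IP/UDP is not monitored.
                remaining[parent][0] -= pkts
                remaining[parent][1] -= octets
        for path, (pkts, octets) in remaining.items():
            if pkts < 0 or octets < 0:
                raise ValueError(f"children exceed parent count for {path}")
            terminal[(src, dst, path)] = (pkts, octets)
    return terminal


def to_common_format(current: Dict[Key, Counts],
                     previous: Dict[Key, Counts]) -> Dict[Key, Counts]:
    """alMatrix input: delta generation first, then terminal conversion."""
    return to_terminal(to_delta(current, previous))


if __name__ == "__main__":
    for key, counts in to_common_format(TABLE_5A, TABLE_5B).items():
        print(key[2], counts)
```
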



4. nlMatrixTopN Table
Processing Example

The nlMatrixTopN table monitors conversations
at the network-layer protocols only, and stores them,
using delta counters, in a table which is ordered by
the packet or byte counters (depending upon
user-configuration).

The nlMatrixTopN table monitors only
network-layer protocols, and so will consider all of
the packets given in the exemplary conversation to be
IP packets, and so the stored table would be as
follows:


Protocol | Source Address | Destination Address | Packets | Bytes
IP       | 123.45.67.89   | 98.76.54.32         | 400     | 50000



Note that as this is a MatrixTopN table, the
packet and byte counter values are the total number of
packets and bytes for the conversation in the monitored
time interval. Since the counter values in the
nlMatrixTopN table are already delta counter values, no
conversion processing needs to be performed on the
nlMatrixTopN table and it is ready for storage in the
buffer 173.

5. nlMatrix Table
Processing Example

The nlMatrix table monitors conversations at
the network-layer protocols only. It stores the
counted byte and packet information, using absolute
count values in a table which is ordered by
network-layer protocol, and source and destination
addresses.

As the nlMatrix table monitors only
network-layer protocols, it will consider all of the
packets given in the example conversation to be IP
packets, and so the stored table would look like this:



Protocol | Source Address | Destination Address | Packets | Bytes
IP       | 123.45.67.89   | 98.76.54.32         | 1200    | 150000

TABLE 7A



Assuming the most recent previously retrieved
nlMatrix Table from the same probe was as follows:

Protocol | Source Address | Destination Address | Packets | Bytes
IP       | 123.45.67.89   | 98.76.54.32         | 800     | 100000

TABLE 7B



In order to place the nlMatrix table in the
desired common format, a delta conversion operation is
performed. This involves subtracting the counter
values from the current nlMatrix Table 7A from the
corresponding counter values in the previously received
Table 7B to generate a table as follows:

Protocol | Source Address | Destination Address | Packets | Bytes
IP       | 123.45.67.89   | 98.76.54.32         | 400     | 50000

TABLE 7C













Since Table 7C is now in the desired common
format with delta counter values, it is ready for
storage in the buffer 173.

As the result of the data collection and
conversion routine above, the data placed in
the buffer 173 is in the common format rendering it
suitable for use, e.g., in generating a network traffic
database.



Figure 7 illustrates how the network traffic
data 701, 703, 705, from the first through third probes
respectively, placed in the buffer 173, can be used to
generate a network traffic database 707. In accordance
with one embodiment of the present invention, the
network traffic data 701, 703, 705 is processed by a
database generation and maintenance routine 700 to
generate a database 707. Unlike prior art databases
which do not include data sets of different resolutions
which overlap in time, the database 707 includes
multiple resolutions of the same data in parallel,
e.g., in hourly, 6 hourly, daily, and weekly data sets.
These data sets are stored in corresponding FIFO data
structures 709, 711, 713, 715, respectively. The
database 707 may be stored on the data storage
device 158.

The parallel, multiple resolution data sets provide a
means of managing a network traffic database and
limiting its size without the need for an aging process
and the double buffering often associated with such
processes.

While the amount of processing required to
create and maintain multiple parallel sets of data in
different resolutions may be greater than
systems which do not use parallel data sets, the
processing load associated with creating such a database
is more constant than systems which involve aging
processes. This is because the periodic load
associated with the aging process is avoided when using
the method of the present invention. A further benefit
of this scheme is that the different resolutions of
data are readily available which makes switching
between different data resolutions fast and efficient
when displaying data and/or responding to
queries.

In the exemplary embodiment of Fig. 7, the
disk space allocated to the database 707 is divided
into 4 parts and assigned to the following fixed
resolutions: hourly, 6-hourly, daily and weekly. As
discussed above each row of a data table 701, 703, 705
corresponds to a monitored conversation and includes
byte and packet count information. Time stamp
information indicating the time the conversation was
monitored is also included in the tables 701, 703, 705.
As each row of data is read in from one of the
tables 701, 703, 705, it is used to create or update an
entry in each of the parallel data sets 709, 711, 713,
715. Within the generated parallel data sets, each
record is used to represent a conversation between two
hosts and the records are time aligned depending on the
resolution: hourly on the hour; 6-hourly at 0600, 1200,
1800 and 2400 hrs; daily at 2400 hrs; and weekly at
2400 hrs on Saturday. Database records for the same
time interval can be considered as being in the same
"bucket". Thus, a bucket is a set of data storage
records for storing network traffic data corresponding
to the preselected unit of time used for the resolution
to which the bucket corresponds.

Fig. 8 illustrates the database generation
and maintenance routine 700 of the present invention in
greater detail. The illustrated routine 700 may be one
of the parallel data set generation routines 166 stored
in the management station's memory 162.

The routine 700 begins in step 702 wherein
the database generation routine is started, e.g., by
having the CPU 154 load and begin executing the
routine 700. In embodiments where the routine 700 is
implemented using parallel processing, it may be loaded
into, and executed by the CPU 155 at the same time it
is being loaded and executed by the CPU 154. In a
parallel processing embodiment, the different CPUs 154,
155 are normally responsible for creating and
maintaining, in parallel, data sets of different
resolutions. For example CPU 154 may be responsible
for creating and maintaining the hourly and 6 hour
network traffic data sets while the CPU 155 might be
responsible for creating the daily and weekly network
traffic data sets.

For the sake of simplicity the following
discussion will assume that the routine 700 is executed
by the processor 154. However, it is to be understood
that, as discussed above, multi-processor
implementations are possible.

Operation proceeds from step 702 to step 704
wherein the CPU 154 creates hourly, 6 hour, daily and
weekly FIFO data structures, one for each of the
different data set resolutions to be supported.
Step 704 may involve, e.g., allocating data storage
records to serve as buckets. For example, the hourly
FIFO would comprise a plurality of buckets each
corresponding to a one hour period of time. Each
bucket may include several records or entries each
corresponding to a different conversation/protocol
pair. The daily FIFO would comprise a plurality of
buckets each corresponding to a different one day
period of time. As will be discussed below, as time
progresses, each bucket in the FIFO is filled. When
all the records in the FIFO are filled, the records in
the oldest buckets are overwritten thereby insuring
that the process can continue after the available
storage space is used.

" Once the FIFO^' dMta strxictures are -created in 
step 7 V 04 \ operation " pr&<&eds v ^o* step TO 6 . -Tii : step 7 06, 
15 the buf £er : ' 1 : 7'3T ihtb* Whidh "collected -rtetwotK traffic 

data is placed /is' monitored * for 'network -tra f -fi<si da ta . 
Upon detecting that network traffic data has been 
placed Tritb 'bu to step 708, 

in step Yo'8 tKe* v fei*me stkiiips ^ ^ssdciat^ : wi ; th^ tto^ ^ - 

20 buf f eredaataf are Examined. - In steJp 7i0, ^Ke tHJtffered 

network traffic "da is a,is±gne'^^€6 : h^ ^ticluddd in 
individual' bucTcet^ "'in the" FiFO structures a& ^-function 
of .the. examined time stajfips. ^Thus, : data is placed in 
buckets, e. g.Y set's or ""groups "of records 'corresponding 

25 to the basic unit of "tiitie "supported, as a fujScfci^n of 

time stamps Xridfi eating the tiirie period" in which" the 
network traffic was monitored: Accordingly / -data - 
collection and reporting delays encountered 1 by -the 
management station 150 do not rieigatively imp^Lct^the 

30 accuracy of the ^created network traffic : database 




Steps 712, 714, 716, 718, which are illustrated in parallel,
represent the updating of records included in the hourly, six
hourly, daily and weekly FIFO data structures, respectively,
using the same set of network traffic data. Steps 712, 714, 716,
718 are illustrated in parallel to show that they may be
performed in parallel, by one or more CPUs 154, 155.

Operation proceeds from steps 712, 714, 716 and 718 to step 720
wherein the data obtained from the buffer 173, used to update
the hourly, six hourly, daily and weekly data records, is
deleted. Operation then returns to monitoring step 706, so that
the database updating process will be performed on a continuous
basis until, e.g., the management station 150 is powered off or
reset.

As a simple example of the hourly and 6 hourly data sets,
consider hosts A through F illustrated in Fig. 2 as computers
21, 22, 23, 31, 32, 33, respectively. The boxes in Fig. 9
represent database records created from traffic between hosts A
through E. Dashed lines are used to indicate different hourly
time periods 901, 902, 903, 904, 905, 906 and a single 6 hourly
time period 910. In Fig. 9, the range of numbers at the top of
each time period is used to indicate the specific hour or hours
included in the time period, the first and second letters in
each box indicate the two hosts involved in the monitored
conversation. In addition, the number in the box indicates the
number of packets exchanged between the indicated hosts during
the indicated time period.

The first hourly time period, beginning at hour 0 and ending at
hour 1, corresponds to bucket 901. Two conversations were
detected during this first hourly time period: a first
conversation between devices A and B which involved 10 packets
and a second conversation between devices A and E which involved
6 packets. The number of bytes, in addition to the number of
packets, may also be stored in each record of the database.

Note that over a 6-hour period, the hourly resolution data set
920 has six buckets 901 through 906, corresponding to first
through sixth hourly time periods, and the 6 hourly data set has
one bucket 910 corresponding to the single 6 hour time period.
Note also that the 6-hour bucket 910 has more conversations and
thus more entries than any one of the individual hourly buckets
901 through 906. However, the records in the six hourly data set
[...] than the hourly 920 since they do not include detailed
hourly conversation data.

In accordance with one embodiment of the present invention,
access is limited to complete data records. Thus, data in a
given time period may not be accessed until the record is fully
complete, i.e., all the data from the system probes for the
given time period has been included in the data record. By
restricting access to completed data records, the presentation
of incomplete data counts to an application or system user is
avoided. In other embodiments, up to the minute data records are
made available to the user. In such embodiments, a user may
review, e.g., the most recent data in the weekly database
despite the fact that the collection of the data for the current
week is not yet complete.
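The bucket handling of routine 700 and the completed-record access rule can be sketched as follows. This is an added illustration, not code from the patent: the class and function names, the limit of four records per resolution, the protocol labels, the byte counts and all sample traffic other than the two hour 0-1 packet counts are constructed, and a record is treated as complete once its time period has ended.

```python
HOUR = 3600
# Resolution name -> bucket width in seconds (hourly, 6 hour, daily, weekly data sets).
RESOLUTIONS = {"hourly": HOUR, "6hourly": 6 * HOUR, "daily": 24 * HOUR, "weekly": 168 * HOUR}


class ResolutionFifo:
    """FIFO of time buckets; a bucket maps (host, host, protocol) -> [packets, bytes]."""

    def __init__(self, width, max_records):
        self.width = width
        self.max_records = max_records   # storage space assigned to this resolution
        self.buckets = {}                # bucket start time -> records
        self.records = 0
        self.evicted_before = 0          # buckets starting before this were overwritten

    def add(self, ts, key, packets, nbytes):
        start = ts - ts % self.width     # bucket chosen from the time stamp, not arrival time
        if start < self.evicted_before:
            return False                 # that period has already been overwritten
        bucket = self.buckets.setdefault(start, {})
        if key not in bucket:
            bucket[key] = [0, 0]
            self.records += 1
        bucket[key][0] += packets
        bucket[key][1] += nbytes
        # When the allotted space is full, reuse the oldest bucket's records.
        while self.records > self.max_records and len(self.buckets) > 1:
            oldest = min(self.buckets)
            self.records -= len(self.buckets.pop(oldest))
            self.evicted_before = oldest + self.width
        return True

    def complete(self, now):
        """Buckets whose time period has ended (assumed meaning of a complete record)."""
        return {s: b for s, b in sorted(self.buckets.items()) if s + self.width <= now}


class TrafficDatabase:
    def __init__(self, records_per_resolution):
        self.fifos = {name: ResolutionFifo(width, records_per_resolution)
                      for name, width in RESOLUTIONS.items()}

    def update(self, buffered):
        """Use the same buffered data to update every resolution, then empty the buffer."""
        for ts, a, b, proto, packets, nbytes in buffered:
            key = (min(a, b), max(a, b), proto)   # one record per conversation/protocol pair
            for fifo in self.fifos.values():
                fifo.add(ts, key, packets, nbytes)
        buffered.clear()


def demo():
    db = TrafficDatabase(records_per_resolution=4)
    # Constructed sample: (time stamp in seconds, host, host, protocol, packets, bytes).
    buffer = [
        (600, "A", "B", "http", 10, 4000),    # hour 0-1: A-B, 10 packets (Fig. 9 text)
        (1200, "A", "E", "http", 6, 900),     # hour 0-1: A-E, 6 packets (Fig. 9 text)
        (4000, "A", "B", "http", 3, 500),     # hour 1-2
        (7300, "C", "D", "ftp", 8, 8000),     # hour 2-3
        (4100, "A", "B", "http", 2, 100),     # reported late, but time-stamped in hour 1-2
        (11000, "B", "F", "smtp", 5, 700),    # hour 3-4: hourly FIFO is full, hour 0-1 goes
    ]
    db.update(buffer)
    return db
```

With this input the hourly FIFO has already overwritten its hour 0-1 bucket, while the 6 hourly, daily and weekly FIFOs still hold every conversation in a single bucket each.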
As discussed above, as the data at a resolution fills the part
of the storage space assigned to that particular resolution, the
data structure used to store the data records at the particular
resolution operates as a FIFO data structure. Accordingly, the
oldest database records corresponding to the data set of the
particular resolution will be reused to store new data. The
hourly data set tends to be the first resolution to hit the
database size limit when the available storage space for the
database is equally divided amongst the four supported
resolutions, since it grows the fastest. However, given limited
available storage space, all the resolutions will reach their
limit given sufficient operating time. Fig. 10 illustrates an
exemplary steady state which may be reached after 7 weeks of
operation of the exemplary system 200. Note that in the Fig. 10
example, the database includes enough storage space to store
hourly information for 1.5 days, 6 hourly information for 4.5
days, daily information for 9 days and weekly information for 7
weeks, assuming the use of the same amount of storage for each
of the different resolutions. Note that the actual time periods
for a given system will depend on the number of conversations
which are monitored and the actual amount of storage space
allocated for the database.

What is claimed is:



1. A method of using network traffic data probes in a computer
network including said network traffic data probes, the method
comprising the steps of:

detecting network traffic data probes in the computer network;

controlling at least some of the detected network traffic data
probes to collect and store network traffic data in one of a
plurality of network traffic data table formats, the data table
format being used with each individual controlled probe being
the one of the plurality of data table formats that is supported
by the individual controlled probe that is closest to a
preselected common network traffic data format; and

periodically retrieving, from each individual controlled probe,
network traffic data the individual controlled probe [...].

2. The method of claim 1, wherein the step of controlling at
least some of the detected network traffic data probes to
collect and store network traffic data in one of a plurality of
network traffic data table formats includes the step of:

selecting a network traffic data table format which includes
application layer information over a network traffic data table
format that includes only network layer information.



IBNSDOCID: <GB 2337903A__I_> 






3. The method of claim 2,

wherein the network traffic probes are RMON2 probes; and

wherein the step of controlling at least some of the detected
network traffic data probes to collect and store network traffic
data in one of a plurality of network traffic data table formats
further includes the step of:

selecting a network traffic data table format which includes
delta count values over a network traffic data table format that
includes absolute count values.

4. The method of claim 3, wherein the step of controlling at
least some of the detected network traffic data probes to
collect and store network traffic data in one of a plurality of
network traffic data table formats further includes the step of:

selecting a network traffic data table format which includes
terminal count mode values over a network traffic data table
format that includes all count mode values.

5. The method of claim 1,

wherein the network data probes are RMON2 probes; and

wherein the step of controlling at least some of the detected
network traffic data probes to collect and store network traffic
data in one of a plurality of network traffic data table formats
further includes the step of:

selecting a network traffic data table format which includes
delta count values over a network traffic data table format that
includes absolute count values.

6. The method of claim 1,

wherein the network traffic data probes are RMON2 data probes;
and

wherein the step of controlling at least some of the detected
network traffic data probes to collect and store network traffic
data in one of a plurality of network traffic data table formats
further includes the step of:

selecting a network traffic data table format which includes
terminal count mode values over a network traffic data table
format that includes all count mode values.

7. The method of claim 1, wherein the network traffic data
probes are RMON2 probes, the step of controlling at least some
of the detected network traffic data probes to collect and store
network traffic data including the step of:

controlling each individual probe to use one of an alMatrixTopN
(Terminal Mode), an alMatrixTopN (AllMode), an alMatrix, a
nlMatrixTopN and a nlMatrix data table format, the utilized data
table format being selected in the following order of
preference: alMatrixTopN (Terminal Mode), alMatrixTopN
(AllMode), alMatrix, nlMatrixTopN and nlMatrix.

8. The method of claim 1, further comprising:

the step of processing retrieved network traffic data that is
not in the preselected common network traffic data format to
place it in the preselected common network traffic data format.

9. The method of claim 8,

wherein the plurality of network traffic data formats include
RMON2 management information base (MIB) formats which support
counting of network traffic data using absolute counter values;

wherein the preselected common network traffic data format
includes the use of delta counter values, the step of processing
retrieved network traffic data comprising the step of:

converting absolute counter values to delta counter values.

10. The method of claim 9, wherein the step of converting
absolute counter values to delta counter values includes the
steps of:

for each retrieved absolute counter value to be converted,
subtracting from the absolute counter value to be converted a
previously retrieved absolute counter value, to generate a delta
counter value.

11. The method of claim 9,

wherein the common data format includes the use of terminal
count mode values for application layer data counts,

wherein at least some of the retrieved network traffic data
includes all count mode values for application layer data
counts, the method further comprising the step of:

converting received all count mode values to terminal count mode
values.

12. The method of claim 11, further comprising the steps of:

storing retrieved network traffic data that is in the common
data format in a buffer; and

storing retrieved network traffic data that has been converted
to the common data format in the buffer.



13. The method of claim 12, further comprising the step of:

generating a graphic image representing network traffic data
using the buffered network traffic data; and

displaying the graphic image on a display device.

14. The method of claim 12, further comprising the step of:

generating a database of network traffic information from the
buffered network traffic data, the database comprising a
plurality of network traffic data sets of differing degrees of
data resolution corresponding to overlapping network traffic
time periods.



15. The method of claim 14, wherein each traffic data count in
the buffered network traffic data is used to update or create
one data record in each of the plurality of network traffic data
sets.

16. The method of claim 14, further comprising the step of
storing each of the plurality of network traffic data sets in a
different first-in, first-out data structure.

17. A method of utilizing RMON2 data probes capable of
supporting a plurality of network traffic data tables in a
computer network, the method comprising the step of:

collecting from each of the RMON2 data probes a network traffic
data table including network traffic information;

processing the contents of each collected network traffic data
table which does not include network traffic information in a
preselected data format to generate a network traffic data table
in the preselected data format.

18. The method of claim 17, wherein the step of processing the
contents of each collected network traffic data table includes
the step of:

converting absolute count values to delta count values.

19. The method of claim 18, further comprising the step of:

converting all count mode values to terminal count mode values.

20. The method of claim 18, wherein the step of collecting from
each of the RMON2 data probes a network traffic data table
includes the step of:

configuring each of the RMON2 data probes which support
alMatrixTopN (Terminal Count Mode) tables to collect network
traffic data in an alMatrixTopN (Terminal Count Mode) table.

21. The method of claim 17, wherein the step of collecting from
each of the RMON2 data probes a network traffic data table
includes the step of:

configuring each of the RMON2 data probes which support
alMatrixTopN (Terminal Count Mode) tables to collect network
traffic data in an alMatrixTopN (Terminal Count Mode) table.

22. The method of claim 1[...], further comprising the step of:

[...] network traffic data converted into the preselected common
data format.

23. A computer network including:

a plurality of network data probes for monitoring network data
in the computer network, the improvement comprising:

a management station coupled to the network data probes, the
management station including:

means for identifying probes in the computer network;

means for configuring a set of individual identified network
probes to collect network traffic data, each one of the set of
individual network probes supporting multiple network traffic
data table formats, each one of the individual probes being
configured to collect data in the one of the table formats that
is supported by the individual probe which requires the least
modification to place the collected data in a common preselected
data format.

24. The computer network of claim 23, further comprising:

means for processing the contents of network traffic data tables
obtained from probes to generate network traffic data tables
having the common preselected data format.

25. The computer network of claim 24, wherein the common
preselected data format includes delta count values and terminal
count mode values, the computer network including:

a storage device for storing absolute counter values between
data collection operations for subsequent use in generating
delta count values from absolute counter values.

26. The computer network of claim 25, further comprising:

means for displaying collected network traffic data placed in
the preselected common data format.



27. The computer network of claim 25, further comprising:

means for printing network traffic data placed in the
preselected common data format.


